NIS2 places different supervisory expectations on essential and important entities. Your classification affects the weight of obligations and potential penalties. Select the description that best fits your organisation.
NIS2 generally applies to medium and large organisations (50+ employees or €10M+ turnover) in listed essential and important sectors, with some exceptions. Classification should be confirmed against the national law of each relevant Member State.
NIS2 requires cybersecurity risk management across network and information systems. Where AI systems, AI-enabled services, foundation model providers, or agentic workflows support those systems, influence operational decisions, or introduce cyber risk, they should be assessed within the NIS2 governance, risk management, incident reporting, and supply-chain security framework.
Answer all ten questions to generate your exposure verdict.
NIS2 national transposition is still uneven across EU Member States. If your organisation operates in multiple EU jurisdictions, a strong group-level compliance posture may still require country-specific validation against national law and local competent authority expectations. This is a separate risk from your technical control score.